Coordinated Disclosure Timeline
- 2023-06-16: Sent report to VMware.
- 2023-06-16: VMware confirmed receiving the report.
- 2023-06-28: Additional inquiry from VMware.
- 2023-08-31: Security advisory was published by VMware as VMSA-2023-0019 / CVE-2023-20900.
A SAML authentication bypass vulnerability was found in the vgauth module of the VMware tools (open-vm-tools).
VMware Tools and open-vm-tools
Authentication bypass (
A SAML authentication bypass vulnerability was found in the vgauth module of VMware Tools that allows an attacker in a privileged position to sign any SAML assertions with their own key. This is due to how vgauth uses the libxmlsecurity library to verify the signature of a SAML token. When libxmlsecurity is used in combination with a key manager, the origin of the public key for the signature verification is, unfortunately, not restricted by default. That means an attacker can sign the SAML assertions themselves and provide the required public key (e.g. an RSA key) directly embedded in the SAML token.
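The following added example (not part of the original advisory and not VMware's code) audits the ds:KeyInfo of a captured SAML token and flags key material other than ds:X509Data, such as an embedded ds:KeyValue. It assumes certificate-based key material is the only form the verifier should accept; the sample tokens and the names audit_keyinfo and sample_token are constructed for illustration, and the check does not validate signatures.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Assumption: only certificate-based key material is acceptable, because the
# verifier is expected to match the signer against certificates it already knows.
ALLOWED_KEYINFO_CHILDREN = {f"{{{DS}}}X509Data"}


def audit_keyinfo(token_xml: str) -> list[str]:
    """Return one finding per problem in the ds:KeyInfo of each ds:Signature."""
    # Intended for offline review of captured tokens, not as an inline filter.
    root = ET.fromstring(token_xml)
    signatures = list(root.iter(f"{{{DS}}}Signature"))
    if not signatures:
        return ["no ds:Signature element found"]
    findings = []
    for idx, sig in enumerate(signatures, start=1):
        key_info = sig.find(f"{{{DS}}}KeyInfo")
        if key_info is None:
            findings.append(f"signature {idx}: no ds:KeyInfo")
            continue
        for child in key_info:
            if child.tag not in ALLOWED_KEYINFO_CHILDREN:
                local = child.tag.rsplit("}", 1)[-1]
                findings.append(
                    f"signature {idx}: unexpected key material <{local}> in ds:KeyInfo"
                )
    return findings


def sample_token(key_info_body: str) -> str:
    """Build a constructed, unsigned assertion skeleton for the audit."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'xmlns:ds="{DS}" ID="_constructed">'
        "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>"
        f"<ds:KeyInfo>{key_info_body}</ds:KeyInfo></ds:Signature></saml:Assertion>"
    )


# Constructed placeholder values, not real keys or certificates.
X509 = "<ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data>"
RAW_KEY = "<ds:KeyValue><ds:RSAKeyValue/></ds:KeyValue>"

if __name__ == "__main__":
    for name, body in [("cert only", X509), ("raw key", RAW_KEY), ("mixed", X509 + RAW_KEY)]:
        print(name, audit_keyinfo(sample_token(body)))
```

A token that passes this audit is not thereby proven genuine; the audit only surfaces key material that the verifier should never have been willing to trust.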
Log entries of a failed authentication attempt
A successful authentication attempt with a SAML token that was signed by an attacker seems to be indistinguishable from an authentication attempt with a token that was signed with the originally intended private key. A failed authentication attempt with a potentially forged token might, however, leave logs like this in the vgauthsvc.log log file on the guest VM:
[2023-09-09T17:17:17.123Z] [ warning] [VGAuthService] XML Error: func=xmlSecOpenSSLEvpSignatureVerify:file=evp_signatures.c:line=368:obj=rsa-sha256:subj=unknown:error=18:data do not match:details=EVP_VerifyFinal: signature does not verify
[2023-09-09T17:17:17.123Z] [ warning] [VGAuthService] VerifySignature: Signature is invalid (got 2)
The VMware advisory contains the following note regarding the attack vector:
A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
You can contact the GHSL team at email@example.com. Please include a reference to GHSL-2023-138 in any communication regarding this issue.